use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.
The class ChangeExecutor, method executeAddition.
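/**
 * Executes an ADD delta end to end: folds any pending modifications into the object
 * to add, authorizes the operation in the EXECUTION phase, stamps creation metadata and
 * routes the object to the task manager, to provisioning, or to the repository depending
 * on its type.
 *
 * <p>Authorization is deliberately the first call inside the {@code try}; nothing is
 * written (no metadata, no task/provisioning/repository call) before it succeeds.
 * Whether the add succeeds or fails, the attempt is recorded on the task so the
 * executed-action trail reflects it; on failure the original throwable is rethrown.
 *
 * @param change        the ADD delta; its modifications are applied to the object and
 *                      then cleared, and on success its OID is set to the created OID
 * @param context       lens context; tolerated as {@code null} (only used for default
 *                      options, the channel and the owner resolver)
 * @param objectContext element context of the object being added
 * @param options       execution options; when {@code null} the context's options are used
 * @param resource      resource the object belongs to (provisioning objects only)
 * @param task          task the action is recorded on
 * @param result        operation result to report into
 * @throws SecurityViolationException if EXECUTION-phase authorization for ADD is denied
 * @throws UnsupportedOperationException if the object is a {@code NodeType}
 * @throws SystemException if provisioning or the repository returned a {@code null} OID
 */
private <T extends ObjectType, F extends ObjectType> void executeAddition(ObjectDelta<T> change, final LensContext<F> context, LensElementContext<T> objectContext, ModelExecuteOptions options, ResourceType resource, Task task, OperationResult result) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
    PrismObject<T> objectToAdd = change.getObjectToAdd();
    // Apply pending modifications so the object added carries its complete state,
    // then clear them so they are not applied a second time by a later consumer.
    if (change.getModifications() != null) {
        for (ItemDelta delta : change.getModifications()) {
            delta.applyTo(objectToAdd);
        }
        change.getModifications().clear();
    }
    OwnerResolver ownerResolver = createOwnerResolver(context, task, result);
    try {
        // Authorize before any side effect. The delta argument is null because the
        // whole object is being created; the object itself is what is checked.
        securityEnforcer.authorize(ModelAuthorizationAction.ADD.getUrl(), AuthorizationPhaseType.EXECUTION, objectToAdd, null, null, ownerResolver, result);
        T objectTypeToAdd = objectToAdd.asObjectable();
        metadataManager.applyMetadataAdd(context, objectToAdd, clock.currentTimeXMLGregorianCalendar(), task, result);
        // Fall back to the context's options only when the caller passed none.
        if (options == null && context != null) {
            options = context.getOptions();
        }
        String oid;
        if (objectTypeToAdd instanceof TaskType) {
            oid = addTask((TaskType) objectTypeToAdd, result);
        } else if (objectTypeToAdd instanceof NodeType) {
            throw new UnsupportedOperationException("NodeType cannot be added using model interface");
        } else if (ObjectTypes.isManagedByProvisioning(objectTypeToAdd)) {
            ProvisioningOperationOptions provisioningOptions = getProvisioningOptions(context, options);
            oid = addProvisioningObject(objectToAdd, context, objectContext, provisioningOptions, resource, task, result);
            if (oid == null) {
                throw new SystemException("Provisioning addObject returned null OID while adding " + objectToAdd);
            }
            result.addReturn("createdAccountOid", oid);
        } else {
            // Focus-type objects: drop any cached constraint result for this name so the
            // uniqueness check sees the newly added object.
            FocusConstraintsChecker.clearCacheFor(objectTypeToAdd.getName());
            RepoAddOptions addOpt = new RepoAddOptions();
            if (ModelExecuteOptions.isOverwrite(options)) {
                addOpt.setOverwrite(true);
            }
            if (ModelExecuteOptions.isNoCrypt(options)) {
                // Caller explicitly asked to store protected values unencrypted.
                addOpt.setAllowUnencryptedValues(true);
            }
            oid = cacheRepositoryService.addObject(objectToAdd, addOpt, result);
            if (oid == null) {
                throw new SystemException("Repository addObject returned null OID while adding " + objectToAdd);
            }
        }
        change.setOid(oid);
        // The options fallback above tolerates a null context; the channel lookup must
        // do the same, otherwise recording would fail (and in the catch below, mask the
        // original failure with an NPE).
        task.recordObjectActionExecuted(objectToAdd, objectToAdd.getCompileTimeClass(), oid, ChangeType.ADD, context != null ? context.getChannel() : null, null);
    } catch (Throwable t) {
        task.recordObjectActionExecuted(objectToAdd, objectToAdd.getCompileTimeClass(), null, ChangeType.ADD, context != null ? context.getChannel() : null, t);
        throw t;
    }
}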
use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.
The class ChangeExecutor, method executeDeletion.
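/**
 * Executes a DELETE delta: authorizes the deletion in the EXECUTION phase against the
 * old object state, then deletes through the task manager, provisioning, or the
 * repository depending on the object class.
 *
 * <p>Provisioning and repository deletes treat {@link ObjectNotFoundException} as
 * success (the desired end state is reached), logging at trace level and muting the
 * subresult error; task and node deletes do not have this tolerance. The attempt is
 * recorded on the task in both the success and the failure path.
 *
 * @param change        the DELETE delta carrying the OID and object class to delete
 * @param context       lens context (owner resolution, provisioning options, channel)
 * @param objectContext element context; its old object is what gets authorized
 * @param options       execution options used to derive provisioning options
 * @param resource      resource the object belongs to (provisioning objects only)
 * @param task          task the action is recorded on
 * @param result        operation result to report into
 * @throws SecurityViolationException if EXECUTION-phase authorization for DELETE is denied
 * @throws ObjectNotFoundException from task/node deletion when the object does not exist
 */
private <T extends ObjectType, F extends ObjectType> void executeDeletion(ObjectDelta<T> change, LensContext<F> context, LensElementContext<T> objectContext, ModelExecuteOptions options, ResourceType resource, Task task, OperationResult result) throws ObjectNotFoundException, ObjectAlreadyExistsException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
    String oid = change.getOid();
    Class<T> objectTypeClass = change.getObjectTypeClass();
    // NOTE(review): objectOld may be null if the context has no old state — confirm
    // how securityEnforcer.authorize treats a null object before relying on it.
    PrismObject<T> objectOld = objectContext.getObjectOld();
    OwnerResolver ownerResolver = createOwnerResolver(context, task, result);
    try {
        // Authorize before any deletion call is made.
        securityEnforcer.authorize(ModelAuthorizationAction.DELETE.getUrl(), AuthorizationPhaseType.EXECUTION, objectOld, null, null, ownerResolver, result);
        if (TaskType.class.isAssignableFrom(objectTypeClass)) {
            taskManager.deleteTask(oid, result);
        } else if (NodeType.class.isAssignableFrom(objectTypeClass)) {
            taskManager.deleteNode(oid, result);
        } else if (ObjectTypes.isClassManagedByProvisioning(objectTypeClass)) {
            ProvisioningOperationOptions provisioningOptions = getProvisioningOptions(context, options);
            try {
                deleteProvisioningObject(objectTypeClass, oid, context, objectContext, provisioningOptions, resource, task, result);
            } catch (ObjectNotFoundException e) {
                tolerateAlreadyGone(oid, objectTypeClass, result);
            }
        } else {
            try {
                cacheRepositoryService.deleteObject(objectTypeClass, oid, result);
            } catch (ObjectNotFoundException e) {
                tolerateAlreadyGone(oid, objectTypeClass, result);
            }
        }
        task.recordObjectActionExecuted(objectOld, objectTypeClass, oid, ChangeType.DELETE, context.getChannel(), null);
    } catch (Throwable t) {
        task.recordObjectActionExecuted(objectOld, objectTypeClass, oid, ChangeType.DELETE, context.getChannel(), t);
        throw t;
    }
}

/**
 * Handles a delete of an object that is already gone: the resulting state equals the
 * requested one (this can happen in race conditions), so the failure is traced and the
 * last subresult error is muted instead of being propagated.
 *
 * @param oid             OID of the object that was to be deleted
 * @param objectTypeClass class of the object that was to be deleted
 * @param result          operation result whose last subresult error is muted
 */
private void tolerateAlreadyGone(String oid, Class<?> objectTypeClass, OperationResult result) {
    LOGGER.trace("Attempt to delete object {} ({}) that is already gone", oid, objectTypeClass);
    result.muteLastSubresultError();
}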
use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.
The class ChangeExecutor, method executeModification.
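/**
 * Executes a MODIFY delta: authorizes the modification in the EXECUTION phase against
 * the new object state and the delta, applies modification metadata, and then routes
 * the modifications to the task manager, provisioning, or the repository.
 *
 * <p>Authorization always runs, even for a delta that turns out to be empty; the
 * empty-delta short-circuit comes after it and after metadata application. A
 * provisioning modification may return a different OID than the one in the delta, in
 * which case the delta's OID is updated. The attempt is recorded on the task in both
 * the success and the failure path (not for the empty-delta early return).
 *
 * @param change        the MODIFY delta (OID, object class and modifications)
 * @param context       lens context (owner resolution, provisioning options, channel)
 * @param objectContext element context; its new object is what gets authorized
 * @param options       execution options used to derive provisioning options
 * @param resource      resource the object belongs to (provisioning objects only)
 * @param task          task the action is recorded on
 * @param result        operation result to report into
 * @throws SecurityViolationException if EXECUTION-phase authorization for MODIFY is denied
 * @throws UnsupportedOperationException if the object class is {@code NodeType}
 * @throws SystemException if provisioning returned a {@code null} OID
 */
private <T extends ObjectType, F extends ObjectType> void executeModification(ObjectDelta<T> change, LensContext<F> context, LensElementContext<T> objectContext, ModelExecuteOptions options, ResourceType resource, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
    Class<T> objectTypeClass = change.getObjectTypeClass();
    PrismObject<T> objectNew = objectContext.getObjectNew();
    OwnerResolver ownerResolver = createOwnerResolver(context, task, result);
    try {
        // Authorize before anything is applied; the delta is passed so item-level
        // authorization can inspect what is being changed.
        securityEnforcer.authorize(ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.EXECUTION, objectNew, change, null, ownerResolver, result);
        metadataManager.applyMetadataModify(change, objectContext, objectTypeClass, clock.currentTimeXMLGregorianCalendar(), task, context, result);
        if (change.isEmpty()) {
            // Nothing to do
            return;
        }
        if (TaskType.class.isAssignableFrom(objectTypeClass)) {
            taskManager.modifyTask(change.getOid(), change.getModifications(), result);
        } else if (NodeType.class.isAssignableFrom(objectTypeClass)) {
            throw new UnsupportedOperationException("NodeType is not modifiable using model interface");
        } else if (ObjectTypes.isClassManagedByProvisioning(objectTypeClass)) {
            ProvisioningOperationOptions provisioningOptions = getProvisioningOptions(context, options);
            String oid = modifyProvisioningObject(objectTypeClass, change.getOid(), change.getModifications(), context, objectContext, provisioningOptions, resource, task, result);
            // Same contract as the add path: a null OID is a provisioning failure and is
            // reported as such rather than surfacing as an NPE from the comparison below.
            if (oid == null) {
                throw new SystemException("Provisioning modifyObject returned null OID while modifying " + change.getOid());
            }
            if (!oid.equals(change.getOid())) {
                change.setOid(oid);
            }
        } else {
            // Focus-type objects: invalidate cached constraint results for the changed
            // items so the uniqueness check sees the new values.
            FocusConstraintsChecker.clearCacheForDelta(change.getModifications());
            cacheRepositoryService.modifyObject(objectTypeClass, change.getOid(), change.getModifications(), result);
        }
        task.recordObjectActionExecuted(objectNew, objectTypeClass, change.getOid(), ChangeType.MODIFY, context.getChannel(), null);
    } catch (Throwable t) {
        task.recordObjectActionExecuted(objectNew, objectTypeClass, change.getOid(), ChangeType.MODIFY, context.getChannel(), t);
        throw t;
    }
}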
use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.
The class Clockwork, method authorizeContextRequest.
/**
 * Authorizes the whole request represented by a lens context: the focus context (when
 * present) and every projection context, sharing one owner resolver built from the
 * context. On success the context is flagged as request-authorized.
 *
 * <p>The outcome is tracked in a minor subresult named
 * {@code Clockwork.authorizeRequest}: success is recorded when every element context
 * passes, and any failure (security violation, schema problem, runtime exception or
 * error) is recorded as fatal on that subresult before being rethrown unchanged.
 *
 * @param context      lens context whose focus and projections are authorized
 * @param task         task the authorization runs under
 * @param parentResult parent operation result the subresult is attached to
 * @throws SecurityViolationException if any element context is not authorized
 * @throws SchemaException if a schema problem occurs during authorization
 */
private <F extends ObjectType> void authorizeContextRequest(LensContext<F> context, Task task, OperationResult parentResult) throws SecurityViolationException, SchemaException {
    OperationResult subresult = parentResult.createMinorSubresult(Clockwork.class.getName() + ".authorizeRequest");
    try {
        // One resolver serves both the focus and all projections of this request.
        OwnerResolver resolver = new LensOwnerResolver<>(context, objectResolver, task, subresult);
        final LensFocusContext<F> focus = context.getFocusContext();
        // NOTE(review): the boolean flag presumably marks "is focus" (true for the focus,
        // false for projections) — confirm against authorizeElementContext.
        if (focus != null) {
            authorizeElementContext(context, focus, resolver, true, task, subresult);
        }
        for (LensProjectionContext projection : context.getProjectionContexts()) {
            authorizeElementContext(context, projection, resolver, false, task, subresult);
        }
        context.setRequestAuthorized(true);
        subresult.recordSuccess();
    } catch (SecurityViolationException | SchemaException | RuntimeException | Error e) {
        subresult.recordFatalError(e);
        throw e;
    }
}